Subject: Off-by-one reading offset (found by oss-fuzz)
Origin: FILE5_30-56-g6623a8e0 <https://github.com/file/file/commit/FILE5_30-56-g6623a8e0>
Upstream-Author: Christos Zoulas <christos@zoulas.com>
Date: Sun Apr 30 17:05:02 2017 +0000

--- a/src/cdf.c
+++ b/src/cdf.c
@@ -861,7 +861,7 @@
 		DPRINTF(("Past end %p < %p\n", e, p));
 		return NULL;
 	}
-	if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
+	if (cdf_check_stream_offset(sst, h, p, (tail + 1) * sizeof(uint32_t),
 	    __LINE__) == -1)
 		return NULL;
 	ofs = CDF_GETUINT32(p, tail);